Commit Graph

8 Commits

Author SHA1 Message Date
Will Fancher
fef26d88e2 systemd-initrd: Support secrets when boot loader doesn't
initrd-secrets: Fix service config with systemd-stage-1
2023-04-11 15:20:47 -04:00
Maximilian Bosch
819b0f4bb8
nixos/initrd-network-ssh: fix test
The test relied on moving `initrd` secrets from the store into the
`initrd` which was fine here as it's only an integration test and not a
production environment.

However, this broke in 20.09 when support for this was dropped[1]. To make
sure that the snakeoil key used as hostkey for `sshd` here actually gets
copied into the VM, I added a small script for this that takes care of
this process while building the initial ramdisk.

[1] d930466b77
2020-11-02 21:18:57 +01:00
Emily
d930466b77 nixos/initrd-ssh: switch from Dropbear to OpenSSH
Dropbear lags behind OpenSSH significantly in both support for modern
key formats like `ssh-ed25519`, let alone the recently-introduced
U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched
my `authorizedKeys` over to it and promptly locked myself out of my
server's initrd SSH, breaking reboots), as well as security features
like multiprocess isolation. Using the same SSH daemon for stage-1 and
the main system ensures key formats will always remain compatible, as
well as more conveniently allowing the sharing of configuration and
host keys.

The main reason to use Dropbear over OpenSSH would be initrd space
concerns, but NixOS initrds are already large (17 MiB currently on my
server), and the size difference between the two isn't huge (the test's
initrd goes from 9.7 MiB to 12 MiB with this change). If the size is
still a problem, then it would be easy to shrink sshd down to a few
hundred kilobytes by using an initrd-specific build that uses musl and
disables things like Kerberos support.

This passes the test and works on my server, but more rigorous testing
and review from people who use initrd SSH would be appreciated!
2020-03-25 08:26:50 +00:00
WilliButz
9a7101c999
nixos/tests/initrd-ssh: port to python 2019-11-07 11:30:02 +01:00
volth
08f68313a4 treewide: remove redundant rec 2019-08-28 11:07:32 +00:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
rnhmjoj
e239c1e582
nixos/tests: rename IP addresses/routes options 2018-02-17 14:57:07 +01:00
Tuomas Tynkkynen
dc5cd7800a tests/initrd-network-ssh: Don't build during evaluation
Issue #29774
2017-11-27 12:08:57 +02:00